s4:dsdb: Add function to determine whether we have system access
authorJo Sutton <josutton@catalyst.net.nz>
Tue, 13 Feb 2024 01:09:23 +0000 (14:09 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 16 Feb 2024 02:41:36 +0000 (02:41 +0000)
This takes into account the dsdb session info, as well as the presence
or absence of an AS_SYSTEM control.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/dsdb/samdb/ldb_modules/util.c
source4/dsdb/samdb/ldb_modules/util.h

index 04dd055ef4d244811cfe2fd51e5cdb6b3b4e2a2b..6e87531ed3843cfbbe2df24c51273be763a8e501 100644 (file)
@@ -1155,6 +1155,33 @@ bool dsdb_module_am_administrator(struct ldb_module *module)
        return security_session_user_level(session_info, NULL) == SECURITY_ADMINISTRATOR;
 }
 
+/*
+ * Return ‘true’ if the caller has system access. The ‘acl’ module passes
+ * SYSTEM_CONTROL_STRIP_CRITICAL when it wants to strip the critical flag.
+ */
+bool dsdb_have_system_access(
+       struct ldb_module *module,
+       struct ldb_request *req,
+       const enum system_control_strip_critical strip_critical)
+{
+       struct ldb_control *as_system = NULL;
+
+       as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
+       if (as_system != NULL) {
+               switch (strip_critical) {
+               case SYSTEM_CONTROL_KEEP_CRITICAL:
+                       break;
+               case SYSTEM_CONTROL_STRIP_CRITICAL:
+                       as_system->critical = 0;
+                       break;
+               }
+
+               return true;
+       }
+
+       return dsdb_module_am_system(module);
+}
+
 /*
   check if the recyclebin is enabled
  */
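Review bot: The new function treats the mere presence of an LDB_CONTROL_AS_SYSTEM_OID control on `req` as sufficient proof of system access, and the header comment does not record the assumption behind that: presumably the control is stripped or rejected by the LDAP front end before a remote client's request reaches this module stack, since otherwise this check would be trivially satisfiable. That trust boundary is worth stating where the check lives, e.g. `/* An AS_SYSTEM control is trusted as-is: this relies on the server never accepting it from a remote client. */`. The comment should also mention that with SYSTEM_CONTROL_STRIP_CRITICAL the function mutates the request by clearing `as_system->critical`, a side effect that the name `dsdb_have_system_access` does not suggest to a reader. The `switch` on `strip_critical` has no `default:` arm; that is fine if the build relies on -Wswitch to flag unhandled enumerators, but an out-of-range value currently leaves the control critical and still returns true, so a `default:` that at least documents the intent would make the behaviour explicit.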
index e512992b7a6d7f22ba979dc1e10d6cf7752485ad..b4102a4306e05c3ef6443d748cf42beed150b603 100644 (file)
@@ -30,6 +30,11 @@ struct security_descriptor;
 struct dom_sid;
 struct netlogon_samlogon_response;
 
+enum system_control_strip_critical {
+       SYSTEM_CONTROL_KEEP_CRITICAL,
+       SYSTEM_CONTROL_STRIP_CRITICAL,
+};
+
 #include "librpc/gen_ndr/misc.h"
 #include "librpc/gen_ndr/security.h"
 #include "dsdb/samdb/ldb_modules/util_proto.h"
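Review bot: The new enum carries no comment saying what it controls or who consumes it, and it is placed among the forward struct declarations rather than near the function that takes it (which presumably lives in the generated util_proto.h included below, so the enum has to precede that include). A one-line comment would make the placement and purpose clear to the next reader: `/* Argument to dsdb_have_system_access(): whether to clear the critical flag on a matched AS_SYSTEM control. */`.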